Created
October 19, 2022 05:10
Gist: gouthampacha/c0d96966670956761b2b620be730efe2
manila$ tox -e bandit
/opt/stack/manila/.tox/bandit/lib/python3.8/site-packages/setuptools/command/easy_install.py:144: EasyInstallDeprecationWarning: easy_install command is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
/opt/stack/manila/.tox/bandit/lib/python3.8/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
warnings.warn(
bandit develop-inst-noop: /opt/stack/manila
bandit installed: alabaster==0.7.12,alembic==1.8.1,amqp==5.1.1,appdirs==1.4.4,attrs==22.1.0,autopage==0.5.1,Babel==2.10.3,bandit==1.7.4,bashate==2.1.0,bcrypt==4.0.0,cachetools==5.2.0,certifi==2022.9.14,cffi==1.15.1,charset-normalizer==2.1.1,cliff==4.0.0,cmd2==2.4.2,coverage==6.4.4,cryptography==38.0.1,ddt==1.6.0,debtcollector==2.5.0,decorator==5.1.1,dnspython==2.2.1,docutils==0.19,dogpile.cache==1.1.8,dulwich==0.20.46,eventlet==0.33.1,extras==1.0.0,fasteners==0.18,fixtures==4.0.1,flake8==3.8.4,future==0.18.2,futurist==2.4.1,gitdb==4.0.9,GitPython==3.1.27,greenlet==1.1.3,hacking==3.1.0,idna==3.4,imagesize==1.4.1,importlib-metadata==4.12.0,importlib-resources==5.9.0,iso8601==1.0.2,Jinja2==3.1.2,jmespath==1.0.1,jsonpatch==1.32,jsonpointer==2.3,jsonschema==4.16.0,keystoneauth1==5.0.0,keystonemiddleware==10.1.0,kombu==5.2.4,lxml==4.9.1,Mako==1.2.2,-e git+https://opendev.org/openstack/manila@b8fdf9b9e758fa0945504d1da651445dab8350d7#egg=manila,MarkupSafe==2.1.1,mccabe==0.6.1,msgpack==1.0.4,munch==2.5.0,netaddr==0.8.0,netifaces==0.11.0,openstackdocstheme==3.0.0,openstacksdk==0.101.0,os-api-ref==2.3.0,os-client-config==2.1.0,os-service-types==1.7.0,osc-lib==2.6.2,oslo.cache==3.1.0,oslo.concurrency==5.0.1,oslo.config==9.0.0,oslo.context==5.0.0,oslo.db==12.1.0,oslo.i18n==5.1.0,oslo.log==5.0.0,oslo.messaging==14.0.0,oslo.metrics==0.5.0,oslo.middleware==5.0.0,oslo.policy==4.0.0,oslo.privsep==3.0.1,oslo.reports==2.4.0,oslo.rootwrap==6.3.1,oslo.serialization==5.0.0,oslo.service==3.0.0,oslo.upgradecheck==2.0.0,oslo.utils==6.0.1,oslotest==4.5.0,osprofiler==3.4.3,packaging==21.3,paramiko==2.11.0,Paste==3.5.2,PasteDeploy==2.1.1,pbr==5.10.0,pkgutil_resolve_name==1.3.10,prettytable==3.4.1,prometheus-client==0.14.1,psutil==5.9.2,psycopg2-binary==2.9.3,pycadf==3.1.1,pycodestyle==2.6.0,pycparser==2.21,pyflakes==2.2.0,Pygments==2.13.0,pyinotify==0.9.6,PyMySQL==1.0.2,PyNaCl==1.5.0,pyOpenSSL==22.0.0,pyparsing==3.0.9,pyperclip==1.8.2,pyrsistent==0.18.1,python-cinderclient==9.1.0,python-dateutil==2.8.2,python-glanceclient==4.1.0,python-keystoneclient==5.0.1,python-neutronclient==8.1.0,python-novaclient==18.1.0,python-subunit==1.4.0,pytz==2022.2.1,PyYAML==6.0,repoze.lru==0.7,requests==2.28.1,requests-mock==1.10.0,requestsexceptions==1.4.0,rfc3986==2.0.0,Routes==2.5.1,simplejson==3.17.6,six==1.16.0,smmap==5.0.0,snowballstemmer==2.2.0,Sphinx==5.1.1,sphinxcontrib-applehelp==1.0.2,sphinxcontrib-devhelp==1.0.2,sphinxcontrib-htmlhelp==2.0.0,sphinxcontrib-jsmath==1.0.1,sphinxcontrib-qthelp==1.0.3,sphinxcontrib-serializinghtml==1.1.5,SQLAlchemy==1.4.41,sqlalchemy-migrate==0.13.0,sqlparse==0.4.2,statsd==3.3.0,stestr==4.0.0,stevedore==4.0.0,Tempita==0.5.2,tenacity==8.0.1,testresources==2.0.1,testscenarios==0.5.0,testtools==2.5.0,tooz==3.1.0,urllib3==1.26.12,vine==5.0.0,voluptuous==0.13.1,warlock==2.0.1,wcwidth==0.2.5,WebOb==1.8.7,wrapt==1.14.1,yappi==1.3.6,zipp==3.8.1
bandit run-test-pre: PYTHONHASHSEED='1755623407'
bandit run-test: commands[0] | bandit -r manila -x tests -n5
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.8.10
449 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. ]
Run started:2022-10-19 05:04:37.406472
Test results:
>> Issue: [B102:exec_used] Use of exec detected.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/cmd/manage.py:168:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b102_exec_used.html
166 arguments: path
167 """
168 exec(compile(open(path).read(), path, 'exec'), locals(), globals())
169
170
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
Location: manila/data/manager.py:39:16
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
37 cfg.StrOpt(
38 'mount_tmp_location',
39 default='/tmp/',
40 help="Temporary path to create and mount shares during migration."),
41 cfg.BoolOpt(
--------------------------------------------------
>> Issue: [B112:try_except_continue] Try, Except, Continue detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/network/linux/ip_lib.py:349:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b112_try_except_continue.html
347 try:
348 subnet = device_route_line.split()[0]
349 except Exception:
350 continue
351 subnet_route_list_lines = self._run(
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:74:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
72 def cleanup():
73 global TRANSPORT, NOTIFICATION_TRANSPORT, NOTIFIER
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:75:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
73 global TRANSPORT, NOTIFICATION_TRANSPORT, NOTIFIER
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
77 TRANSPORT.cleanup()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:76:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
74 assert TRANSPORT is not None
75 assert NOTIFICATION_TRANSPORT is not None
76 assert NOTIFIER is not None
77 TRANSPORT.cleanup()
78 NOTIFICATION_TRANSPORT.cleanup()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:146:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
144
145 def get_client(target, version_cap=None, serializer=None):
146 assert TRANSPORT is not None
147 serializer = RequestContextSerializer(serializer)
148 return messaging.RPCClient(TRANSPORT,
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:155:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
153
154 def get_server(target, endpoints, serializer=None):
155 assert TRANSPORT is not None
156 access_policy = dispatcher.DefaultRPCAccessPolicy
157 serializer = RequestContextSerializer(serializer)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/rpc.py:168:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
166 @utils.if_notifications_enabled
167 def get_notifier(service=None, host=None, publisher_id=None):
168 assert NOTIFIER is not None
169 if not publisher_id:
170 publisher_id = "%s.%s" % (service, host or CONF.host)
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/scheduler/drivers/chance.py:58:25
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
56 raise exception.NoValidHost(reason=msg)
57
58 return hosts[int(random.random() * len(hosts))]
59
60 def schedule_create_share(self, context, request_spec, filter_properties):
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/service.py:167:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
165 if self.periodic_interval:
166 if self.periodic_fuzzy_delay:
167 initial_delay = random.randint(0, self.periodic_fuzzy_delay)
168 else:
169 initial_delay = None
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: manila/service.py:242:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
240 try:
241 self.rpcserver.stop()
242 except Exception:
243 pass
244
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html)
Location: manila/service.py:322:54
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.html
320 rpc.init(CONF)
321 self.app = self.loader.load_app(name)
322 self.host = getattr(CONF, '%s_listen' % name, "0.0.0.0")
323 self.port = getattr(CONF, '%s_listen_port' % name, 0)
324 self.workers = getattr(CONF, '%s_workers' % name, None)
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
Location: manila/share/drivers/container/driver.py:80:23
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
78 "is used to provide storage for a share."),
79 cfg.StrOpt("container_volume_mount_path",
80 default="/tmp/shares",
81 help="Folder name in host to which logical volume will be "
82 "mounted prior to providing access to it from a "
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import etree
20
21
22 class XMLAPIParser(object):
23 def __init__(self):
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:67:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
65 if func in vars(XMLAPIParser):
66 if action == 'start':
67 eval('self.' + func)(elem, result)
68 elif action == 'end':
69 eval('self.' + func)()
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/common/enas/xml_api_parser.py:69:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
67 eval('self.' + func)(elem, result)
68 elif action == 'end':
69 eval('self.' + func)()
70
71 return result
--------------------------------------------------
>> Issue: [B410:blacklist] Using builder to parse untrusted XML data is known to be vulnerable to XML attacks. Replace builder with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
22 from oslo_log import log
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/plugins/powermax/object_manager.py:52:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
50 for item in obj_types:
51 key = item.__name__
52 self.context[key] = eval(key)(self.connectors,
53 elt_maker,
54 xml_parser,
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/dell_emc/plugins/unity/connection.py:741:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
739 def _choose_port(sp_ports_map, sp):
740 ports = sp_ports_map[sp.get_id()]
741 return random.choice(list(ports))
742
743 @staticmethod
--------------------------------------------------
>> Issue: [B410:blacklist] Using builder to parse untrusted XML data is known to be vulnerable to XML attacks. Replace builder with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:19:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
17 import re
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
--------------------------------------------------
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
18
19 from lxml import builder
20 from lxml import etree as ET
21 from oslo_concurrency import processutils
22 from oslo_log import log
--------------------------------------------------
>> Issue: [B307:blacklist] Use of possibly insecure function - consider using safer ast.literal_eval.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: manila/share/drivers/dell_emc/plugins/vnx/object_manager.py:52:32
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b307-eval
50 for item in obj_types:
51 key = item.__name__
52 self.context[key] = eval(key)(self.connectors,
53 elt_maker,
54 xml_parser,
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Medium
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
Location: manila/share/drivers/ganesha/manager.py:622:27
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
620 out = self.execute(
621 "sqlite3", self.ganesha_db_path,
622 bumpcode + 'select * from ganesha where key = "exportid";',
623 run_as_root=False)[0]
624 match = re.search(r'\Aexportid\|(\d+)$', out)
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html)
Location: manila/share/drivers/ganesha/utils.py:150:35
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.html
148 """
149 if access_rule['access_to'] == '0.0.0.0/0':
150 access_rule['access_to'] = '0.0.0.0'
151 LOG.debug("Set access_to field to '0.0.0.0' in ganesha back end.")
152
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
18
19 import re
20 import xml.etree.cElementTree as etree
21
22 from oslo_config import cfg
23 from oslo_log import log
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:258:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
256 )
257
258 volxml = etree.fromstring(out)
259 self.xml_response_check(volxml, args[1:], './volInfo/volumes/count')
260 for e in volxml.findall(".//option"):
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/common.py:285:21
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
283
284 try:
285 optxml = etree.fromstring(out)
286 except Exception:
287 # non-xml output indicates that GlusterFS backend does not support
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_directory.py:23:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
21 from oslo_config import cfg
22 from oslo_log import log
23 import xml.etree.cElementTree as etree
24
25 from manila import exception
26 from manila.i18n import _
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_directory.py:242:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
240 raise
241
242 volxml = etree.fromstring(out)
243 usage_byte = volxml.find('./volQuota/limit/used_space').text
244 usage = utils.translate_string_size_to_float(usage_byte)
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:24:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
22 import string
23 import tempfile
24 import xml.etree.cElementTree as etree
25
26 from oslo_config import cfg
27 from oslo_log import log
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:319:22
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
317 # even distribution of share backing volumes among
318 # Gluster clusters.
319 chosen_host = random.choice(list(chosen_hostmap.keys()))
320 # Within a host's volumes, choose alphabetically first,
321 # to make it predictable.
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:564:21
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
562 )
563
564 outxml = etree.fromstring(out)
565 opret = int(common.volxml_get(outxml, 'opRet'))
566 operrno = int(common.volxml_get(outxml, 'opErrno'))
--------------------------------------------------
>> Issue: [B313:blacklist] Using xml.etree.cElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/glusterfs/layout_volume.py:606:17
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-celementtree
604 )
605
606 outxml = etree.fromstring(out)
607 gluster_mgr.xml_response_check(outxml, args[1:])
608
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:36:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
34 def _send_post(self, url, payload=None):
35 resp = requests.post(url, auth=(self.username, self.password),
36 data=payload, verify=False)
37
38 if resp.status_code == 202:
39 self._wait_job_status(resp.headers['location'], 'COMPLETE')
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:47:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
45 def _send_get(self, url, payload=None):
46 resp = requests.get(url, auth=(self.username, self.password),
47 data=payload, verify=False)
48
49 if resp.status_code == 200:
50 if resp.content == 'null':
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
Location: manila/share/drivers/hitachi/hsp/rest.py:61:15
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
59 def _send_delete(self, url, payload=None):
60 resp = requests.delete(url, auth=(self.username, self.password),
61 data=payload, verify=False)
62
63 if resp.status_code == 202:
64 self._wait_job_status(resp.headers['location'], 'COMPLETE')
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Severity: Medium Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: manila/share/drivers/hpe/hpe_3par_driver.py:360:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
358 file_size = os.path.getsize(source_file)
359
360 sha1 = hashlib.sha1()
361 sha1.update(("blob %u\0" % file_size).encode('utf-8'))
362
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/huawei_nas.py:17:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
15
16 """Huawei Nas Driver for Huawei storage arrays."""
17 from xml.etree import ElementTree as ET
18
19 from oslo_config import cfg
20 from oslo_log import log
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/huawei_nas.py:88:19
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
86
87 try:
88 tree = ET.parse(filename)
89 root = tree.getroot()
90 except Exception as err:
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: manila/share/drivers/huawei/v3/connection.py:1392:29
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
1390 # Set AD config.
1391 digits = string.digits
1392 random_id = ''.join([random.choice(digits) for i in range(9)])
1393 system_name = constants.SYSTEM_NAME_PREFIX + random_id
1394
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:20:0
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
18 import requests
19 import time
20 from xml.etree import ElementTree as ET
21
22 from oslo_log import log
23 from oslo_serialization import jsonutils
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:188:15
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
186 logininfo = {}
187 filename = self.configuration.manila_huawei_conf_file
188 tree = ET.parse(filename)
189 root = tree.getroot()
190 RestURL = root.findtext('Storage/RestURL')
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: manila/share/drivers/huawei/v3/helper.py:373:19
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
371 filename = self.configuration.manila_huawei_conf_file
372 try:
373 tree = ET.parse(filename)
374 root = tree.getroot()
375 except Exception as err:
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'manilanobody'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
Location: manila/share/drivers/macrosan/macrosan_helper.py:99:26
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html | |
97 else: | |
98 user_name = 'manilanobody' | |
99 user_passwd = 'manilanobody' | |
100 group_name = 'manilanobody' | |
101 ret = self._ensure_user(user_name, user_passwd, group_name) | |
-------------------------------------------------- | |
>> Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package. | |
Severity: Low Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/netapp/dataontap/client/api.py:24:0 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml | |
22 import re | |
23 | |
24 from lxml import etree | |
25 from oslo_log import log | |
26 from oslo_serialization import jsonutils | |
-------------------------------------------------- | |
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'basic_auth' | |
Severity: Low Confidence: Medium | |
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html) | |
Location: manila/share/drivers/netapp/dataontap/client/api.py:71:23 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html | |
69 EVSERVER_MIGRATION_TO_NON_AFF_CLUSTER = '13172984' | |
70 | |
71 STYLE_LOGIN_PASSWORD = 'basic_auth' | |
72 TRANSPORT_TYPE_HTTP = 'http' | |
73 TRANSPORT_TYPE_HTTPS = 'https' | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1561:22 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
1559 self.configure_dns(security_service) | |
1560 | |
1561 config_name = hashlib.md5( | |
1562 security_service['id'].encode("latin-1")).hexdigest() | |
1563 api_args = { | |
1564 'ldap-client-config': config_name, | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1622:12 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
1620 def _delete_ldap_client(self, security_service): | |
1621 config_name = ( | |
1622 hashlib.md5(security_service['id'].encode("latin-1")).hexdigest()) | |
1623 api_args = {'ldap-client-config': config_name} | |
1624 self.send_request('ldap-client-delete', api_args) | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1629:22 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
1627 def configure_ldap(self, security_service, timeout=30): | |
1628 """Configures LDAP on Vserver.""" | |
1629 config_name = hashlib.md5( | |
1630 security_service['id'].encode("latin-1")).hexdigest() | |
1631 self._create_ldap_client(security_service) | |
1632 self._enable_ldap_client(config_name, timeout=timeout) | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1657:12 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
1655 | |
1656 new_config_name = ( | |
1657 hashlib.md5( | |
1658 new_security_service['id'].encode("latin-1")).hexdigest()) | |
1659 # Create ldap config with the new client | |
1660 api_args = {'client-config': new_config_name, 'client-enabled': 'true'} | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/netapp/dataontap/client/client_cmode.py:1669:20 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
1667 if e.code != netapp_api.EOBJECTNOTFOUND: | |
1668 current_config_name = ( | |
1669 hashlib.md5( | |
1670 current_security_service['id'].encode( | |
1671 "latin-1")).hexdigest()) | |
1672 msg = _("An error occurred while deleting original LDAP " | |
1673 "client configuration %(current_config)s. " | |
-------------------------------------------------- | |
>> Issue: [B110:try_except_pass] Try, Except, Pass detected. | |
Severity: Low Confidence: High | |
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) | |
Location: manila/share/drivers/netapp/utils.py:221:8 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html | |
219 try: | |
220 self._version = version.version_info.version_string() | |
221 except Exception: | |
222 pass | |
223 | |
-------------------------------------------------- | |
>> Issue: [B110:try_except_pass] Try, Except, Pass detected. | |
Severity: Low Confidence: High | |
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) | |
Location: manila/share/drivers/netapp/utils.py:227:8 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html | |
225 try: | |
226 self._release = version.version_info.release_string() | |
227 except Exception: | |
228 pass | |
229 | |
-------------------------------------------------- | |
>> Issue: [B110:try_except_pass] Try, Except, Pass detected. | |
Severity: Low Confidence: High | |
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) | |
Location: manila/share/drivers/netapp/utils.py:233:8 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html | |
231 try: | |
232 self._platform = platform.platform() | |
233 except Exception: | |
234 pass | |
235 | |
-------------------------------------------------- | |
>> Issue: [B110:try_except_pass] Try, Except, Pass detected. | |
Severity: Low Confidence: High | |
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) | |
Location: manila/share/drivers/netapp/utils.py:249:8 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html | |
247 if ver: | |
248 self._version = ver | |
249 except Exception: | |
250 pass | |
251 try: | |
-------------------------------------------------- | |
>> Issue: [B110:try_except_pass] Try, Except, Pass detected. | |
Severity: Low Confidence: High | |
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) | |
Location: manila/share/drivers/netapp/utils.py:255:8 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html | |
253 if rel: | |
254 self._release = rel | |
255 except Exception: | |
256 pass | |
257 | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/nexenta/ns5/jsonrpc.py:554:20 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
552 if isinstance(path, str): | |
553 path = path.encode('utf-8') | |
554 self.lock = hashlib.md5(path).hexdigest() | |
555 | |
556 def url(self, path): | |
-------------------------------------------------- | |
>> Issue: [B405:blacklist] Using xml.etree.cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. | |
Severity: Low Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:26:4 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree | |
24 | |
25 try: | |
26 import xml.etree.cElementTree as ET | |
27 except ImportError: | |
28 import xml.etree.ElementTree as ET | |
-------------------------------------------------- | |
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. | |
Severity: Low Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:28:4 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree | |
26 import xml.etree.cElementTree as ET | |
27 except ImportError: | |
28 import xml.etree.ElementTree as ET | |
29 | |
30 from oslo_log import log as logging | |
-------------------------------------------------- | |
>> Issue: [B323:blacklist] By default, Python will create a secure, verified ssl context for use in such classes as HTTPSConnection. However, it still allows using an insecure context via the _create_unverified_context that reverts to the previous behavior that does not validate certificates or perform hostname checks. | |
Severity: Medium Confidence: High | |
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) | |
Location: manila/share/drivers/qnap/api.py:86:26 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b323-unverified-context | |
84 if isSSL: | |
85 if hasattr(ssl, '_create_unverified_context'): | |
86 context = ssl._create_unverified_context() | |
87 connection = http_client.HTTPSConnection(ip, | |
88 port=port, | |
-------------------------------------------------- | |
>> Issue: [B309:blacklist] Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033 | |
Severity: Medium Confidence: High | |
CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) | |
Location: manila/share/drivers/qnap/api.py:87:29 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b309-httpsconnection | |
85 if hasattr(ssl, '_create_unverified_context'): | |
86 context = ssl._create_unverified_context() | |
87 connection = http_client.HTTPSConnection(ip, | |
88 port=port, | |
89 context=context) | |
90 else: | |
91 connection = http_client.HTTPSConnection(ip, | |
-------------------------------------------------- | |
>> Issue: [B309:blacklist] Use of HTTPSConnection on older versions of Python prior to 2.7.9 and 3.4.3 do not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033 | |
Severity: Medium Confidence: High | |
CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) | |
Location: manila/share/drivers/qnap/api.py:91:29 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b309-httpsconnection | |
89 context=context) | |
90 else: | |
91 connection = http_client.HTTPSConnection(ip, | |
92 port=port) | |
93 else: | |
94 connection = http_client.HTTPConnection(ip, port) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:111:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
109 LOG.debug('response data: %s', data) | |
110 | |
111 root = ET.fromstring(data) | |
112 | |
113 display_model_name = root.find('model/displayModelName').text | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:161:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
159 | |
160 res_details = self._execute_and_get_response_details(self.ip, url) | |
161 root = ET.fromstring(res_details['data']) | |
162 | |
163 if root.find('authPassed').text == '0': | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:228:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
226 | |
227 res_details = self._execute_and_get_response_details(self.ip, url) | |
228 root = ET.fromstring(res_details['data']) | |
229 | |
230 if root.find('authPassed').text == '0': | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:265:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
263 | |
264 res_details = self._execute_and_get_response_details(self.ip, url) | |
265 root = ET.fromstring(res_details['data']) | |
266 | |
267 if root.find('authPassed').text == '0': | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:290:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
288 res_details = self._execute_and_get_response_details(self.ip, url) | |
289 | |
290 root = ET.fromstring(res_details['data']) | |
291 if root.find('authPassed').text == '0': | |
292 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:324:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
322 | |
323 res_details = self._execute_and_get_response_details(self.ip, url) | |
324 root = ET.fromstring(res_details['data']) | |
325 if root.find('authPassed').text == '0': | |
326 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:361:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
359 | |
360 res_details = self._execute_and_get_response_details(self.ip, url) | |
361 root = ET.fromstring(res_details['data']) | |
362 if root.find('authPassed').text == '0': | |
363 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:389:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
387 | |
388 res_details = self._execute_and_get_response_details(self.ip, url) | |
389 root = ET.fromstring(res_details['data']) | |
390 if root.find('authPassed').text == '0': | |
391 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:431:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
429 | |
430 res_details = self._execute_and_get_response_details(self.ip, url) | |
431 root = ET.fromstring(res_details['data']) | |
432 | |
433 if root.find('authPassed').text == '0': | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:453:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
451 | |
452 res_details = self._execute_and_get_response_details(self.ip, url) | |
453 root = ET.fromstring(res_details['data']) | |
454 if root.find('authPassed').text == '0': | |
455 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:485:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
483 | |
484 res_details = self._execute_and_get_response_details(self.ip, url) | |
485 root = ET.fromstring(res_details['data']) | |
486 if root.find('authPassed').text == '0': | |
487 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:525:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
523 | |
524 res_details = self._execute_and_get_response_details(self.ip, url) | |
525 root = ET.fromstring(res_details['data']) | |
526 | |
527 if root.find('authPassed').text == '0': | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:548:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
546 | |
547 res_details = self._execute_and_get_response_details(self.ip, url) | |
548 root = ET.fromstring(res_details['data']) | |
549 if root.find('authPassed').text == '0': | |
550 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:584:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
582 | |
583 res_details = self._execute_and_get_response_details(self.ip, url) | |
584 root = ET.fromstring(res_details['data']) | |
585 if root.find('authPassed').text == '0': | |
586 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:608:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
606 | |
607 res_details = self._execute_and_get_response_details(self.ip, url) | |
608 root = ET.fromstring(res_details['data']) | |
609 if root.find('authPassed').text == '0': | |
610 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:630:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
628 | |
629 res_details = self._execute_and_get_response_details(self.ip, url) | |
630 root = ET.fromstring(res_details['data']) | |
631 if root.find('authPassed').text == '0': | |
632 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:653:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
651 | |
652 res_details = self._execute_and_get_response_details(self.ip, url) | |
653 root = ET.fromstring(res_details['data']) | |
654 if root.find('authPassed').text == '0': | |
655 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | |
Severity: Medium Confidence: High | |
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) | |
Location: manila/share/drivers/qnap/api.py:684:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree | |
682 | |
683 res_details = self._execute_and_get_response_details(self.ip, url) | |
684 root = ET.fromstring(res_details['data']) | |
685 if root.find('authPassed').text == '0': | |
686 raise exception.ShareBackendException(msg=MSG_SESSION_EXPIRED) | |
-------------------------------------------------- | |
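The run of B314/B405 findings above all come from the same pattern: xml.etree parsing data the driver did not produce. The Huawei hits parse an operator-owned config file (low risk); the QNAP hits in api.py parse REST responses from the array, and that same module builds its HTTPS connection with ssl._create_unverified_context, so on-path traffic can reach the parser. The stdlib parser expands entity declarations, which is what lets a small DOCTYPE inflate into a large document in memory. The usual fix is defusedxml; the added example below (not manila code, and not something the gist author wrote) reproduces defusedxml's forbid_dtd behaviour with the stdlib only, by driving expat directly and refusing any DOCTYPE, entity declaration or external entity reference. The sample response and the entity payload are constructed for the demonstration; QDocRoot/authPassed/displayModelName mirror the element names the QNAP snippets read but the values are made up.

```python
"""Hardened XML parsing for backend responses (added example, not manila code)."""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DtdForbidden(ValueError):
    """Raised when a document tries to declare a DOCTYPE or an entity."""


def hardened_fromstring(data):
    """Parse str/bytes into an Element while refusing every DTD construct.

    Stand-in for defusedxml.ElementTree.fromstring(data, forbid_dtd=True):
    expat is used directly so the DTD handlers can be hooked, and its
    events are fed to the same TreeBuilder that xml.etree uses.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        # Raising inside a handler aborts the parse and propagates out of Parse().
        raise DtdForbidden("DOCTYPE/entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid    # <!DOCTYPE ...>
    parser.EntityDeclHandler = forbid          # <!ENTITY ...> (internal entities)
    parser.ExternalEntityRefHandler = forbid   # SYSTEM/PUBLIC references (XXE)
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


# Constructed inputs for the demonstration (not captured QNAP traffic).
# Three nested entities: about 200 bytes on the wire, 1000 characters once expanded.
ENTITY_BOMB = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE bomb ['
    '<!ENTITY a "aaaaaaaaaa">'
    '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
    ']>'
    '<bomb>&c;</bomb>'
)
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?>'
    '<QDocRoot><authPassed>1</authPassed>'
    '<model><displayModelName>TS-TEST</displayModelName></model></QDocRoot>'
)


def stdlib_expanded_length(data):
    """Characters the plain stdlib parser hands back as the root element's text."""
    return len(ET.fromstring(data).text)


def rejects_dtd(data):
    """True if the hardened parser refuses the document."""
    try:
        hardened_fromstring(data)
    except DtdForbidden:
        return True
    return False


def parse_response(data):
    """The fields the qnap/api.py snippets read, taken through the hardened parser."""
    root = hardened_fromstring(data)
    return {
        "authPassed": root.findtext("authPassed"),
        "displayModelName": root.findtext("model/displayModelName"),
    }
```

With the plain parser, ENTITY_BOMB comes back as a 1000-character text node from a 200-byte input; the hardened parser raises DtdForbidden at the DOCTYPE before any entity is expanded, and parses the ordinary response unchanged. For the Huawei config-file case the same parser works as a drop-in for ET.parse(filename) by reading the file bytes first.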
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue. | |
Severity: High Confidence: High | |
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) | |
Location: manila/share/drivers/tegile/tegile.py:133:18 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html | |
131 data=params, | |
132 auth=(self._username, self._password), | |
133 verify=False) | |
134 else: | |
135 req = requests.get(url, | |
136 auth=(self._username, self._password), | |
137 verify=False) | |
138 | |
-------------------------------------------------- | |
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue. | |
Severity: High Confidence: High | |
CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) | |
Location: manila/share/drivers/tegile/tegile.py:137:18 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html | |
135 req = requests.get(url, | |
136 auth=(self._username, self._password), | |
137 verify=False) | |
138 | |
139 if fine_logging: | |
140 LOG.debug('TegileAPIExecutor(%(classname)s) method: %(method)s, ' | |
141 'return code: %(retcode)s', | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/veritas/veritas_isa.py:144:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
142 name1 = name[:index] | |
143 name2 = name[index:] | |
144 crc1 = hashlib.md5(name1.encode('utf-8')).hexdigest()[:8] | |
145 crc2 = hashlib.md5(name2.encode('utf-8')).hexdigest()[:8] | |
146 return crc1 + '-' + crc2 | |
-------------------------------------------------- | |
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function. | |
Severity: Medium Confidence: High | |
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) | |
Location: manila/share/drivers/veritas/veritas_isa.py:145:15 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5 | |
143 name2 = name[index:] | |
144 crc1 = hashlib.md5(name1.encode('utf-8')).hexdigest()[:8] | |
145 crc2 = hashlib.md5(name2.encode('utf-8')).hexdigest()[:8] | |
146 return crc1 + '-' + crc2 | |
147 | |
-------------------------------------------------- | |
>> Issue: [B310:blacklist] Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected. | |
Severity: Medium Confidence: High | |
CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html) | |
Location: manila/share/drivers/zfssa/restclient.py:285:27 | |
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b310-urllib-urlopen | |
283 while retry < maxreqretries: | |
284 try: | |
285 response = urlrequest.urlopen(req, timeout=self.timeout) | |
286 except urlerror.HTTPError as err: | |
287 if err.code == http_client.NOT_FOUND: | |
-------------------------------------------------- | |
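Three of the findings above are about how a driver reaches its backend: the QNAP B323 hit disables certificate and hostname verification through the private ssl._create_unverified_context API (the B309 warnings on the same lines are moot on any Python 3 release, where HTTPSConnection verifies by default; the real problem in that block is the context passed to it), the Tegile B501 hits pass verify=False to requests while sending the array's username and password with every call, and the ZFSSA B310 hit hands urlopen a string whose scheme was never checked. The added example below is not manila code; it shows the verified context beside the unverified one so the difference is visible, a CA-bundle option as the fix for arrays that use a private CA, and a scheme allowlist applied before a request is built. The ca_bundle and insecure parameters are assumed driver options, not names from any manila configuration section.

```python
"""TLS and URL policy for backend REST connections (added example, not manila code)."""
import ssl
import warnings
from http import client as http_client
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("https",)


def url_is_allowed(url, allowed=ALLOWED_SCHEMES):
    """urlopen() dispatches on whatever scheme the string carries (file:, ftp:, ...),
    so the scheme has to be checked before the request object exists."""
    parts = urlsplit(url)
    return parts.scheme in allowed and bool(parts.netloc)


def validate_backend_url(url, allowed=ALLOWED_SCHEMES):
    if not url_is_allowed(url, allowed):
        raise ValueError("backend URL must use %s: %r" % ("/".join(allowed), url))
    return url


def make_tls_context(ca_bundle=None, insecure=False):
    """Build the SSLContext to hand to HTTPSConnection.

    insecure=True reproduces what ssl._create_unverified_context() gives the
    QNAP driver: no chain validation and no hostname check, so any on-path
    host can impersonate the array and collect the admin session. It is
    kept here only so the two policies can be compared; it must never be
    the default and must only be reachable through an explicit operator option.
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode changes
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Verified context: the system trust store, or the operator's bundle for
    # arrays signed by a private CA (the usual reason drivers reach for verify=False).
    return ssl.create_default_context(cafile=ca_bundle)


def verification_settings(ctx):
    """(check_hostname, verify_mode) so the policy in force can be pinned by a test."""
    return ctx.check_hostname, ctx.verify_mode.name


def open_backend_connection(host, port=443, ca_bundle=None, insecure=False, timeout=30):
    """HTTPSConnection built the way the qnap/api.py branch should build it.
    The socket is not opened until a request is issued, so this is side-effect free."""
    if insecure:
        warnings.warn("TLS certificate verification disabled for %s" % host,
                      RuntimeWarning, stacklevel=2)
    ctx = make_tls_context(ca_bundle, insecure)
    return http_client.HTTPSConnection(host, port=port, context=ctx, timeout=timeout)


def requests_kwargs(ca_bundle=None, insecure=False):
    """What tegile.py should pass instead of a literal verify=False: a bundle
    path or True, with False only on the explicit opt-out."""
    return {"verify": False if insecure else (ca_bundle or True)}
```

The point of verification_settings is that the policy becomes testable: a unit test can assert (True, "CERT_REQUIRED") on the default path, which is what stops a later "quick fix" from quietly reintroducing the unverified context.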
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
   Severity: Medium   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: manila/share/manager.py:404:36
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
402
403	        if new_backend_info:
404	            new_backend_info_hash = hashlib.sha1(str(
405	                sorted(new_backend_info.items())).encode('utf-8')).hexdigest()
406	            if (old_backend_info_hash == new_backend_info_hash and
407	                    backend_info_implemented):
--------------------------------------------------
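All three B303 hits are fingerprint uses rather than integrity or authentication uses: the Veritas driver truncates two MD5 digests to eight hex characters to shorten a name, and the share manager hashes the sorted backend-info items with SHA-1 to notice when they change. Neither needs collision resistance against an attacker, but both can be moved to a modern hash without changing the output shape. The functions below are an added example of that, not manila's code; the function names are assumptions, and the split index of the name shortener is taken as a caller-supplied argument because the page does not show how the driver computes it.

```python
import hashlib
import re

# Added example for triaging the B303 findings; not manila's own code.


def short_name_hash(name: str, index: int) -> str:
    """Stand-in for the driver's name shortener.

    BLAKE2b with digest_size=4 yields exactly 8 hex characters per half, the
    same width as the truncated MD5 digest, so the 'xxxxxxxx-xxxxxxxx'
    format is preserved without the MD5 dependency.
    """
    name1 = name[:index]
    name2 = name[index:]
    crc1 = hashlib.blake2b(name1.encode('utf-8'), digest_size=4).hexdigest()
    crc2 = hashlib.blake2b(name2.encode('utf-8'), digest_size=4).hexdigest()
    return crc1 + '-' + crc2


def backend_info_hash(backend_info: dict) -> str:
    """Stand-in for the manager's change detector: SHA-256 over a sorted
    rendering of the dict, so key order does not alter the digest."""
    canonical = str(sorted(backend_info.items())).encode('utf-8')
    return hashlib.sha256(canonical).hexdigest()


def legacy_backend_info_hash(backend_info: dict) -> str:
    """What the flagged line computes, kept for comparison during migration.

    On Python 3.9+ hashlib accepts usedforsecurity=False to record that a
    digest is not a security control; it is left out here so the function
    also runs on older interpreters.
    """
    canonical = str(sorted(backend_info.items())).encode('utf-8')
    return hashlib.sha1(canonical).hexdigest()


_SHORT_HASH_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{8}$')


def looks_like_short_hash(value: str) -> bool:
    """Shape check for the 8-hex-8-hex name format; both the MD5-derived and
    the BLAKE2b-derived names satisfy it."""
    return bool(_SHORT_HASH_RE.match(value))
```

The caveat a reviewer should attach to the finding is that these digests are persisted: a different hash produces different derived share names and a different stored backend-info hash, so a swap needs a migration path (or a one-time cache invalidation), not just a one-line edit. Where the hash genuinely is only a fingerprint, documenting that at the call site is an acceptable resolution as well.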
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   Location: manila/test.py:199:12
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
197	            try:
198	                x.kill()
199	            except Exception:
200	                pass
201
--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
   Severity: Medium   Confidence: Medium
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: manila/utils.py:710:20
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b601_paramiko_calls.html
708	    cmd = 'cat > "%s"' % tmp_filename
709	    cmd2 = 'mv -f "%s" "%s"' % (tmp_filename, filename)
710	    stdin, __, __ = ssh.exec_command(cmd)
711	    stdin.write(contents)
712	    stdin.close()
--------------------------------------------------
>> Issue: [B601:paramiko_calls] Possible shell injection via Paramiko call, check inputs are properly sanitized.
   Severity: Medium   Confidence: Medium
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: manila/utils.py:714:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b601_paramiko_calls.html
712	    stdin.close()
713	    stdin.channel.shutdown_write()
714	    ssh.exec_command(cmd2)
--------------------------------------------------
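The two B601 hits are the same helper: the file contents travel over stdin and never touch the shell, but the two paths are interpolated into double quotes, so a name containing a double quote, $(...) or a backtick changes the command the remote shell runs. The code below is an added example (not manila's utils.py) that keeps the flagged sequence and replaces the interpolation with shlex.quote, and shows with shlex.split how many words the remote shell would see in each case. The hostile file name, the fake SSH client and the function names are constructed for the demonstration.

```python
import shlex

# Added example for the B601 findings; not manila's own code.


def build_write_commands_unsafe(tmp_filename, filename):
    """The interpolation the finding points at, kept for comparison."""
    cmd = 'cat > "%s"' % tmp_filename
    cmd2 = 'mv -f "%s" "%s"' % (tmp_filename, filename)
    return cmd, cmd2


def build_write_commands(tmp_filename, filename):
    """Same two commands with POSIX-shell quoting of each path, so each
    path reaches the remote command as exactly one argument."""
    cmd = 'cat > %s' % shlex.quote(tmp_filename)
    cmd2 = 'mv -f %s %s' % (shlex.quote(tmp_filename), shlex.quote(filename))
    return cmd, cmd2


def shell_words(cmd):
    """Split ``cmd`` into words the way a POSIX shell does (quotes honoured,
    no expansion), to show what the remote side would actually receive."""
    return shlex.split(cmd)


def write_remote_file(ssh, tmp_filename, filename, contents):
    """Same sequence as the flagged helper, over quoted commands.

    ``ssh`` needs paramiko's exec_command(cmd) -> (stdin, stdout, stderr);
    the contents are written to stdin, which the shell never parses.
    """
    cmd, cmd2 = build_write_commands(tmp_filename, filename)
    stdin, _, _ = ssh.exec_command(cmd)
    stdin.write(contents)
    stdin.close()
    stdin.channel.shutdown_write()
    ssh.exec_command(cmd2)
    return cmd, cmd2


# Constructed stand-ins so the sequence runs without an SSH server.
class _FakeChannel:
    def __init__(self):
        self.write_closed = False

    def shutdown_write(self):
        self.write_closed = True


class _FakeStdin:
    def __init__(self):
        self.data = []
        self.closed = False
        self.channel = _FakeChannel()

    def write(self, data):
        self.data.append(data)

    def close(self):
        self.closed = True


class FakeSSH:
    def __init__(self):
        self.commands = []
        self.stdin = _FakeStdin()

    def exec_command(self, cmd):
        self.commands.append(cmd)
        return self.stdin, None, None


# A file name that, interpolated into double quotes, closes the quoted
# string and appends a second command (constructed for the demonstration).
HOSTILE_NAME = 'share.conf"; touch /tmp/pwned; echo "'
```

Quoting removes the word-splitting and substitution problem but not the path problem: the caller still has to decide which directories a file name may point into, since shlex.quote will happily quote `../../etc/passwd`. shlex.quote also targets POSIX sh; an appliance whose SSH login shell is a restricted vendor CLI has its own quoting rules, and that has to be checked per driver.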
Code scanned:
	Total lines of code: 101135
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 34
		Medium: 52
		High: 5
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 9
		High: 82